By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Are there AWS-based Symbolic Link access restrictions across instances in differents regions and subnets?

0

In my VPC, I have directory symbolic links allowing a local instance directory access to remote instance Windows UNC shared folders. For example, the link is created like so:

: on vm1 mklink /d shared-folder \vm2-machine\shared-folder

With a C++ example console app FindFirstFileA() call, the shared-folder is accessible and can list the files in the shared-folder.

However, the actual platform application we develop, does not see the shared-folder. It not a security error, FindFirstFile()/FindNextFile() API called just does not allow access to the folder items.

Assuming it was security related anyway, I decide to but the server under the debugger. My development machine is not on AWS. It is at my home office LAN. I duplicated the scenario by mapping a symbolic link to another machine on the local LAN. This worked fine. The LAN is on 192.168. private network,

So my question:

Are there AWS-based Symbolic Link access restrictions across instances on my AWS VPC where there is different regions and/or subnets?

Thanks in advance

Topics
Networking & Content DeliveryStorageAWS Well-Architected Framework
Tags
Amazon VPCAmazon FSx for Windows File ServerSecurity
Language
English
hsantos-ssi
asked 2 years ago230 views
3 Answers
0

The experiment works on your local physical LAN, as you don't apply microsegmentation. Every interface of instances on your VPC subnet has a security group, which enforces stateful microsegmentation (e.g. an incoming rule is created automatically when outgoing TCP session starts)[1] When you trying to access over network, you need to confirm that the protocols and ports are enabled in Security Group settings in the VPC. Additionally, check the NACL - network access control list, that operate in subnet level and are stateless (you need to define rules to allow communication in both incoming and outgoing directions)

References:

[1] https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

[2] https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

AWS
Vlad
answered 2 years ago
0

Thank you, Vlad. I will review the references. may I ask to possible explain the following:

  1. A simple console C/C+ directory listing app can access the remote symbolic link folder items.

  2. A backend p-code XYZ app run at the console level can also access the remote symbolic link items. THis would be a C/C++ app running a p-code app with an RTE engine. Pretty much like a C/C++ run time engine running a php, or python job.

  3. A web-based hosting server with the same RTE that runs the XYZ backend p-code app, can not access the remote symbolic link items. This would be a single process web server spawning client threads to process HTTP requests.

  4. Same as #3, perform at home non-AWS LAN, it works fine.

All is running in Administrator level.

If #1 and #2 works but #3 does not, the only diff are the layers of API piping that is governing the I/O. But this additional layer with #4 is fine on a non-AWS network. Is this a Windows OS issue? or still something related to AWS? Or both?

Thanks for your input , I will review the references.

hsantos-ssi
answered 2 years ago
0

Solution found:

This is not a AWS issue, but rather a Windows Service network security issue with Directory Symbolic Links. Running the file server application as a Windows Desktop allowed access to the remote symbolic link directory items. But not when running as Windows service (formerly called NT Service). When the service login credentials were changed to authenticated user with network access, the remote symbolic link directory items were accessible.

hsantos-ssi
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content